OCSP fetch breaks down with libressl 2.9.1 #506

Closed
opened 2025-12-29 01:26:27 +01:00 by adam · 2 comments

Originally created by @javobalazs on GitHub (Nov 9, 2020).

Hi Lukas,
Apparently, during OCSP fetch LibreSSL 2.9.1 behaves like OpenSSL 0x or 1.0x, at least with the `-header "HOST" ...` parameter, so version checking is not THAT straightforward :)
I only have access to LibreSSL 2.9.1. I guess LibreSSL 3+ is okay but I couldn't try it. The fix below works for LibreSSL 2.9.1. Moreover, this is the only place in dehydrated where openssl's version is checked.
Regards,
javobalazs

Patch:

--- dehydrated.orig	2020-11-09 18:39:35.133546872 +0100
+++ dehydrated.new	2020-11-09 17:59:59.443399991 +0100
@@ -1664,7 +1664,7 @@
       if [[ "${update_ocsp}" = "yes" ]]; then
         echo " + Updating OCSP stapling file"
         ocsp_timestamp="$(date +%s)"
-        if grep -qE "^(0|(1\.0))\." <<< "$(${OPENSSL} version | awk '{print $2}')"; then
+        if grep -qE "^(openssl (0|(1\.0))\.)|(libressl (1|2)\.)" <<< "$(${OPENSSL} version | awk '{print tolower($0)}')"; then
           ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" -header "HOST" "$(echo "${ocsp_url}" | _sed -e 's/^http(s?):\/\///' -e 's/\/.*$//g')" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}"
         else
           ocsp_log="$("${OPENSSL}" ocsp -no_nonce -issuer "${chain}" -verify_other "${chain}" -cert "${cert}" -respout "${certdir}/ocsp-${ocsp_timestamp}.der" -url "${ocsp_url}" 2>&1)" || _exiterr "Error while fetching OCSP information: ${ocsp_log}"
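Review bot: the replacement pattern on the `+` line anchors only its first branch: in `^(openssl (0|(1\.0))\.)|(libressl (1|2)\.)` the `^` binds to the openssl alternative alone, so `libressl (1|2)\.` can match anywhere in the lowercased `openssl version` line. Group the whole alternation instead, e.g. `^(openssl (0|1\.0)\.|libressl (1|2)\.)`. The hard-coded `(1|2)` also leaves LibreSSL 3.x on the `else` path, which the later comment in this thread reports needs the same `-header "HOST"` form; probing whether the installed `openssl ocsp` accepts the two-argument `-header` form would outlive a hand-maintained version list.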
adam closed this issue 2025-12-29 01:26:27 +01:00

@pigfoot commented on GitHub (Nov 25, 2020):

LibreSSL 3+ needs the following code:

-        if grep -qE "^(0|(1\.0))\." <<< "$(${OPENSSL} version | awk '{print $2}')"; then
+        if grep -qE "^(openssl (0|(1\.0))\.)|(libressl (1|2|3)\.)" <<< "$(${OPENSSL} version | awk '{print tolower($0)}')"; then
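Review bot: same anchoring issue as in the original patch: `^` applies only to the `openssl` branch, so `libressl (1|2|3)\.` is unanchored; write `^(openssl (0|1\.0)\.|libressl (1|2|3)\.)`. Enumerating LibreSSL majors also means another patch for every new major release; since every LibreSSL version reported in this thread takes the `-header "HOST"` path, matching `libressl ` on its own (or testing the capability directly) avoids that churn.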
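A stand-alone sketch of the check the two patches in this thread converge on, added here as an example and not dehydrated's own code: it lowercases the whole `openssl version` line, anchors the entire alternation, includes the LibreSSL 3 case from the follow-up comment, and builds the `-header HOST` argument from the OCSP URL with the same host extraction the patch uses. The version lines and the OCSP URL are constructed samples; `ocsp_needs_host_header`, `ocsp_host_from_url` and `ocsp_header_args` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not dehydrated's own code. Decides from the `openssl version`
# line whether the OCSP fetch must pass an explicit "-header HOST <host>"
# (OpenSSL 0.x/1.0.x and the LibreSSL releases discussed in this thread).

# Return 0 (true) when the given `openssl version` output needs the header.
# The whole line is lowercased and the alternation is grouped behind the
# anchor, so neither branch can match in the middle of the line.
ocsp_needs_host_header() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' \
    | grep -qE '^(openssl (0|1\.0)\.|libressl [123]\.)'
}

# Strip scheme and path from an OCSP URL, keeping host[:port], which is what
# the Host header must carry. Same transformation as the patch's _sed calls.
ocsp_host_from_url() {
  printf '%s\n' "$1" | sed -E -e 's#^https?://##' -e 's#/.*$##'
}

# Print the extra arguments for `openssl ocsp`, or nothing when the tool is
# expected to set the Host header itself. $1 = version line, $2 = OCSP URL.
ocsp_header_args() {
  if ocsp_needs_host_header "$1"; then
    printf '%s %s %s\n' '-header' 'HOST' "$(ocsp_host_from_url "$2")"
  fi
}

# Constructed sample version lines (not captured from real systems).
demo() {
  for v in 'LibreSSL 2.9.1' 'LibreSSL 3.2.2' \
           'OpenSSL 1.0.2k-fips  26 Jan 2017' 'OpenSSL 1.1.1h  22 Sep 2020'; do
    printf '%-34s -> %s\n' "$v" \
      "$(ocsp_header_args "$v" 'http://ocsp.example.net:8080/path')"
  done
}
demo
```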

@danimo commented on GitHub (Dec 1, 2020):

I've tested this with libressl 3.2 and the patch works. Thanks.

Reference: starred/dehydrated#506